brakeman 4.9.1 → 4.10.0

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0e74c091d971966f1da9c247651b9d7250c33ddb826d1932c6d0a67e4bdc7642
4
- data.tar.gz: bf1253b2db22fc51df78cec8610589e05598e3dbf7228f83753acdf3078920f7
3
+ metadata.gz: 5b1be4496aae700f3a9f60ba8ce4502b8ad278669336e9b76e35b626a2c0ec67
4
+ data.tar.gz: 1f550b46ffcf86e0bdb8ecd6c98d531db2a33e76697c2a7877703bcb7c6f8a15
5
5
  SHA512:
6
- metadata.gz: db82e3110b5b4b64abeb931f08bccd391eb5e061909cf9bd2e57663fcdc4fcf8d6bc77b848ebe16908480a82e1cb7f5558b74557b920a8e793a2dfc9fab4d099
7
- data.tar.gz: 75f4ecea562306868dfe682228d109a8991c57beca83a7222085561d74fd8a3d4338fd79d058a18ddeb7f8a4beb33ebca6b6fe732250cb9d44fd75da197d951c
6
+ metadata.gz: 54daba5852a749294bc3f4d62f511a9e04d8befb1cf44e984390cb37e3ecbde493948bc0fc475140c38da450434a5bf4b644028ac9706d7aaf02b4edecdcd86b
7
+ data.tar.gz: adcdaa789d59514e1909beb72f79c32debcc2bf4f351ea95ad2292226d3061dccb0bf57ca7822e7fdc641b04ba0d643f838b6073f0fe077e149608dbbee1196d
data/CHANGES.md CHANGED
@@ -1,3 +1,7 @@
1
+ # 4.10.0 - 2020-09-28
2
+
3
+ * Add SARIF report format (Steve Winton)
4
+
1
5
  # 4.9.1 - 2020-09-04
2
6
 
3
7
  * Check `chomp`ed strings for SQL injection
@@ -237,6 +237,8 @@ module Brakeman
237
237
  [:to_table]
238
238
  when :junit, :to_junit
239
239
  [:to_junit]
240
+ when :sarif, :to_sarif
241
+ [:to_sarif]
240
242
  else
241
243
  [:to_text]
242
244
  end
@@ -266,6 +268,8 @@ module Brakeman
266
268
  :to_table
267
269
  when /\.junit$/i
268
270
  :to_junit
271
+ when /\.sarif$/i
272
+ :to_sarif
269
273
  else
270
274
  :to_text
271
275
  end
@@ -229,7 +229,7 @@ module Brakeman::Options
229
229
 
230
230
  opts.on "-f",
231
231
  "--format TYPE",
232
- [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit],
232
+ [:pdf, :text, :html, :csv, :tabs, :json, :markdown, :codeclimate, :cc, :plain, :table, :junit, :sarif],
233
233
  "Specify output formats. Default is text" do |type|
234
234
 
235
235
  type = "s" if type == :text
@@ -43,6 +43,8 @@ class Brakeman::Report
43
43
  when :to_junit
44
44
  require_report 'junit'
45
45
  Brakeman::Report::JUnit
46
+ when :to_sarif
47
+ return self.to_sarif
46
48
  else
47
49
  raise "Invalid format: #{format}. Should be one of #{VALID_FORMATS.inspect}"
48
50
  end
@@ -85,6 +87,11 @@ class Brakeman::Report
85
87
  alias to_plain to_text
86
88
  alias to_s to_text
87
89
 
90
+ def to_sarif
91
+ require_report 'sarif'
92
+ generate Brakeman::Report::SARIF
93
+ end
94
+
88
95
  def generate reporter
89
96
  reporter.new(@tracker).generate_report
90
97
  end
@@ -0,0 +1,114 @@
1
+ class Brakeman::Report::SARIF < Brakeman::Report::Base
2
+ def generate_report
3
+ sarif_log = {
4
+ :version => '2.1.0',
5
+ :$schema => 'https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json',
6
+ :runs => runs,
7
+ }
8
+ JSON.pretty_generate sarif_log
9
+ end
10
+
11
+ def runs
12
+ [
13
+ {
14
+ :tool => {
15
+ :driver => {
16
+ :name => 'Brakeman',
17
+ :informationUri => 'https://brakemanscanner.org',
18
+ :semanticVersion => Brakeman::Version,
19
+ :rules => rules,
20
+ },
21
+ },
22
+ :results => results,
23
+ },
24
+ ]
25
+ end
26
+
27
+ def rules
28
+ @rules ||= unique_warnings_by_warning_code.map do |warning|
29
+ rule_id = render_id warning
30
+ check_name = warning.check.gsub(/^Brakeman::Check/, '')
31
+ check_description = render_message check_descriptions[check_name]
32
+ {
33
+ :id => rule_id,
34
+ :name => "#{check_name}/#{warning.warning_type}",
35
+ :fullDescription => {
36
+ :text => check_description,
37
+ },
38
+ :helpUri => warning.link,
39
+ :help => {
40
+ :text => "More info: #{warning.link}.",
41
+ :markdown => "[More info](#{warning.link}).",
42
+ },
43
+ :properties => {
44
+ :tags => [check_name],
45
+ },
46
+ }
47
+ end
48
+ end
49
+
50
+ def results
51
+ @results ||= all_warnings.map do |warning|
52
+ rule_id = render_id warning
53
+ result_level = infer_level warning
54
+ message_text = render_message warning.message.to_s
55
+ result = {
56
+ :ruleId => rule_id,
57
+ :ruleIndex => rules.index { |r| r[:id] == rule_id },
58
+ :level => result_level,
59
+ :message => {
60
+ :text => message_text,
61
+ },
62
+ :locations => [
63
+ :physicalLocation => {
64
+ :artifactLocation => {
65
+ :uri => warning.file.relative,
66
+ :uriBaseId => '%SRCROOT%',
67
+ },
68
+ :region => {
69
+ :startLine => warning.line.is_a?(Integer) ? warning.line : 1,
70
+ },
71
+ },
72
+ ],
73
+ }
74
+
75
+ result
76
+ end
77
+ end
78
+
79
+ # Returns a hash of all check descriptions, keyed by check namne
80
+ def check_descriptions
81
+ @check_descriptions ||= Brakeman::Checks.checks.map do |check|
82
+ [check.name.gsub(/^Check/, ''), check.description]
83
+ end.to_h
84
+ end
85
+
86
+ # Returns a de-duplicated set of warnings, used to generate rules
87
+ def unique_warnings_by_warning_code
88
+ @unique_warnings_by_warning_code ||= all_warnings.uniq { |w| w.warning_code }
89
+ end
90
+
91
+ def render_id warning
92
+ # Include alpha prefix to provide 'compiler error' appearance
93
+ "BRAKE#{'%04d' % warning.warning_code}" # 46 becomes BRAKE0046, for example
94
+ end
95
+
96
+ def render_message message
97
+ # Ensure message ends with a period
98
+ if message.end_with? "."
99
+ message
100
+ else
101
+ "#{message}."
102
+ end
103
+ end
104
+
105
+ def infer_level warning
106
+ # Infer result level from warning confidence
107
+ @@levels_from_confidence ||= Hash.new('warning').update({
108
+ 0 => 'error', # 0 represents 'high confidence', which we infer as 'error'
109
+ 1 => 'warning', # 1 represents 'medium confidence' which we infer as 'warning'
110
+ 2 => 'note', # 2 represents 'weak, or low, confidence', which we infer as 'note'
111
+ })
112
+ @@levels_from_confidence[warning.confidence]
113
+ end
114
+ end
@@ -1,3 +1,3 @@
1
1
  module Brakeman
2
- Version = "4.9.1"
2
+ Version = "4.10.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: brakeman
3
3
  version: !ruby/object:Gem::Version
4
- version: 4.9.1
4
+ version: 4.10.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Collins
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-09-04 00:00:00.000000000 Z
11
+ date: 2020-09-28 00:00:00.000000000 Z
12
12
  dependencies: []
13
13
  description: Brakeman detects security vulnerabilities in Ruby on Rails applications
14
14
  via static analysis.
@@ -515,6 +515,7 @@ files:
515
515
  - lib/brakeman/report/report_json.rb
516
516
  - lib/brakeman/report/report_junit.rb
517
517
  - lib/brakeman/report/report_markdown.rb
518
+ - lib/brakeman/report/report_sarif.rb
518
519
  - lib/brakeman/report/report_table.rb
519
520
  - lib/brakeman/report/report_tabs.rb
520
521
  - lib/brakeman/report/report_text.rb